Monitor vulnerabilities like this one.
Sign up free to get alerted when software you use is affected.
5.1
October CMS: Malicious Emails Can Run Code on Your Website
CVE-2026-24907
GHSA-j4j5-9x6g-rgxc
GHSA-j4j5-9x6g-rgxc
Summary
Older versions of the October CMS platform are vulnerable to a security risk that allows malicious emails to run code on your website. This could allow hackers to steal sensitive information or take control of your site. To stay safe, update to version 3.7.14 or 4.1.10, or restrict access to email templates and event logs if you can't update right away.
What to do
- Update october system to version 4.1.10.
- Update october system to version 3.7.14.
- Update october october/system to version 4.1.10.
- Update october october/system to version 3.7.14.
Affected software
| Ecosystem | Vendor | Product | Affected versions |
|---|---|---|---|
| composer | october | system |
>= 4.0.0, <= 4.1.9 <= 3.7.13 Fix: upgrade to 4.1.10
|
| Packagist | october | october/system |
>= 4.0.0, < 4.1.10 < 3.7.14 Fix: upgrade to 4.1.10
|
Original title
October CMS has Stored XSS in Event Log Mail Preview
Original description
A stored cross-site scripting (XSS) vulnerability was identified in the Event Log mail preview feature. When viewing logged mail messages, HTML content was rendered in an iframe without proper sandboxing, allowing JavaScript execution in the viewer's browser context.
### Impact
- Stored XSS via mail template content rendered in Event Log
- Could allow privilege escalation if a superuser views a malicious log entry
- Requires authenticated backend access with mail template editing permissions
- Requires a superuser to view the specific Event Log entry to trigger
### Patches
The vulnerability has been patched in v3.7.14 and v4.1.10. All users are encouraged to upgrade to the latest patched version.
### Workarounds
If upgrading immediately is not possible:
- Restrict mail template editing permissions to fully trusted administrators only
- Restrict Event Log viewing permissions to minimize exposure
### References
- Reported by [Chris Alupului](https://github.com/neosprings)
### Impact
- Stored XSS via mail template content rendered in Event Log
- Could allow privilege escalation if a superuser views a malicious log entry
- Requires authenticated backend access with mail template editing permissions
- Requires a superuser to view the specific Event Log entry to trigger
### Patches
The vulnerability has been patched in v3.7.14 and v4.1.10. All users are encouraged to upgrade to the latest patched version.
### Workarounds
If upgrading immediately is not possible:
- Restrict mail template editing permissions to fully trusted administrators only
- Restrict Event Log viewing permissions to minimize exposure
### References
- Reported by [Chris Alupului](https://github.com/neosprings)
nvd CVSS4.0
5.1
Vulnerability type
CWE-79
Cross-site Scripting (XSS)
Published: 14 Apr 2026 · Updated: 15 Apr 2026 · First seen: 14 Apr 2026